Malware authors create millions of new unique malware samples every year to bypass web filters and antivirus software. But did you know that every exploit attack (used to deliver malware) must use the same techniques to exploit software vulnerabilities? And that there are only a dozen offensive techniques to make this happen? Also, did you know that depending on the vulnerability, attackers are bound to chain 2 to 5 of these techniques even to get to the stage where they can deliver the malware?

As many of you know, our recently released HitmanPro.Alert 3 is purpose-built to disrupt attackers during every stage of their attack – from exploitation to exfiltration. Instead of depending on prior knowledge of attacks (aka signatures), HitmanPro.Alert concentrates on the techniques required to exploit and compromise a computer remotely. If you are able to block attacks at the exploit stage, malware doesn’t even reach the machine in the first place.

Exploit Techniques
Some of the offensive techniques that help and make exploitation possible are called Heap Spray, Stack Pivot, Return-Oriented Programming (ROP) and Vtable Hijacking. Many of these techniques are necessary and chained to evade defensive technologies like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) that protect modern operating systems. The ability to detect and block the offensive exploit techniques in real-time puts HitmanPro.Alert in an excellent position against zero-day attacks from both nation-state attackers as well as skilled cybercriminals.

But as with malware, and depending on resources like skill, time and money, there are attackers that take the easy road and there are those that want or need to go the extra mile. The recent exploit attacks on CVE-2015-3113, a previously unknown vulnerability in Adobe Flash Player, are an excellent example.

Operation Clandestine Wolf
Discovered by FireEye and coined Operation Clandestine Wolf, this attack was crafted by a nation-state attacker they call APT3, apparently a China-based threat group. As with most discovered zero-day attacks, it didn’t take long before cybercriminals heard of it and included an attack for this vulnerability in their exploit kits, to increase the success rates of their attacks (it took them only four days, as revealed by security researcher Kafeine from Malware Don’t Need Coffee).

Significant differences
But there are significant differences between the APT3 exploit attack and the code in exploit kits that abuse CVE-2015-3113. APT3’s code is not only meticulously crafted to bypass standard defense techniques, it is also designed to evade Anti-Exploit solutions. So even though Anti-Exploit vendors blogged about the vulnerability and mentioned that their “users were already protected against this threat”, this is in fact not the case for the original APT3 variant! And this is actually true for most exploits. When you have sufficient skills and resources, even old existing exploits can be re-weaponized to evade anti-exploit solutions. This means that even though it may sound or look like other security solutions offer identical mitigations or layers, features such as our Dynamic Heap Spray and Hardware-assisted Control-Flow Integrity mitigations (as well as our many Risk Reduction features) make a significant difference against well-funded attackers.

But let’s discuss and compare the versions crafted by the APT3 nation-state hackers and the attack inside the Angler exploit kit.

APT3
As mentioned by FireEye, the actual exploit was RC4 encrypted inside the hp.swf file, so we had to decrypt it to reveal the perpetrating code. From the decrypted code we can see that it includes a progress indication using GIF files, which helps the exploit author debug his attack as it reveals at what stage the attack fails. When the attack succeeds, the exploit retrieves a file named logoshow.gif, using a hardcoded URL in the ActionScript code (an IoC or Indicator of Compromise):

Figure: Hardcoded link in APT3’s ActionScript code

Heap Spray
The APT3 attack employs a heap spray to facilitate arbitrary code execution. Although many Anti-Exploit solutions offer Anti-Heapspraying, few people know how most heap spray mitigations work. They simply pre-allocate memory areas often used by attackers so that these ranges cannot be used to set up a heap spray. Naturally, APT3 steered clear of these memory areas, which explains why most Anti-Exploit solutions do not stop the attack with their heap spray mitigation.

Unlike these solutions, the Dynamic Heap Spray feature of HitmanPro.Alert 3 is an active mitigation. It is not so easily bypassed since our technology actually analyzes and compares the contents of the memory blocks allocated and sprayed by the exploit attack. HitmanPro.Alert 3 stops the exploit even before it gains control of code execution:
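To illustrate the difference between the two approaches described above, here is an added example (not HitmanPro.Alert’s code, and not from the original post) of a content-based heap spray check in Python: instead of reserving addresses, it groups allocations by size and flags a size class in which many blocks carry identical content, which holds regardless of where the blocks landed. The allocation list is constructed inline; the thresholds and the fingerprinting scheme are this example’s own assumptions.

```python
import hashlib
from collections import Counter, defaultdict


def fingerprint(block, windows=16, width=256):
    """Cheap content fingerprint: hash `windows` evenly spaced slices of the
    block instead of every byte, so large sprays can be compared quickly."""
    digest = hashlib.sha256()
    step = max(1, len(block) // windows)
    for offset in range(0, len(block), step):
        digest.update(block[offset:offset + width])
    return digest.hexdigest()[:16]


def sled_ratio(block):
    """Fraction of the block taken up by its single most common byte value;
    a NOP-sled style spray scores close to 1.0, real data much lower."""
    _, count = Counter(block).most_common(1)[0]
    return count / len(block)


def detect_heap_spray(blocks, min_blocks=8, min_size=0x1000):
    """Group allocations by size and flag any size class in which at least
    `min_blocks` blocks carry identical content. The check does not depend on
    the addresses the blocks landed at, so spraying around pre-reserved
    ranges does not evade it. Returns a list of findings (empty if clean)."""
    by_size = defaultdict(list)
    for block in blocks:
        if len(block) >= min_size:
            by_size[len(block)].append(block)
    findings = []
    for size, group in by_size.items():
        if len(group) < min_blocks:
            continue
        counts = Counter(fingerprint(b) for b in group)
        fp, identical = counts.most_common(1)[0]
        if identical >= min_blocks:
            sample = next(b for b in group if fingerprint(b) == fp)
            findings.append({
                "size": size,
                "blocks": len(group),
                "identical": identical,
                "fingerprint": fp,
                "sled_ratio": round(sled_ratio(sample), 4),
            })
    return findings


def constructed_allocations():
    """Constructed test input, not a capture from the post: eleven identical
    64 KiB blocks (a 0x0c sled followed by a 16-byte marker) mixed with five
    distinct 64 KiB buffers that merely happen to share the same size."""
    sprayed = b"\x0c" * 0xFFF0 + b"CONSTRUCTED-MRKR"  # exactly 0x10000 bytes
    blocks = [sprayed] * 11
    for i in range(5):
        blocks.append(bytes((i * 7 + j) & 0xFF for j in range(0x10000)))
    return blocks


if __name__ == "__main__":
    for finding in detect_heap_spray(constructed_allocations()):
        print(finding)
```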

Figure: HitmanPro.Alert intercepted APT3’s Heap Spray technique

Arbitrary Code Execution
But it’s getting interesting when you look at how the nation-state attacker controls code execution without triggering Stack Pivot and typical ROP mitigations. In most recent Flash based exploits, the exploit hijacks the vtable of a built-in object of Adobe Flash Player, e.g. the Sound object, so that a ROP chain can be started for example via an invocation of Sound.toString().

This APT3 exploit uses a different technique to trigger its ROP chain. A custom class is defined in the ActionScript which has a method that takes a large number of parameters.

The method in the custom class enables the attacker to provide ROP gadgets as parameters to the function, which results in the ROP chain ending up on the current stack! This way, there is no need for the attacker to pivot the stack to a heap location that is outside the stack range of the current thread, which would be detected by most Anti-Exploit tooling.

By overwriting the function pointer so that it points to a gadget that moves the stack pointer to the beginning of the ROP chain, located on the stack, the attacker can trigger the start of the ROP chain.

There are many (46) ‘dummy’ gadgets (6cebb68b) on the stack that only perform a RET.

6cebb68b c3 ret

This makes sure that stack-analysis will show a call-stack that contains ‘valid’ return addresses up to a very deep call-depth.
The first non-dummy gadget (6cebb68a) pops the address 1f140100 into EAX.

6cebb68a 58 pop eax
6cebb68b c3 ret

The following gadget performs a memory allocation, which makes a specific memory range on the heap, starting at 1f140000, executable. This range is under the control of the attacker and already contains the shellcode. However, due to DEP, it is not executable (yet).

This gadget, which is legitimate code located in the Flash DLL, performs a seemingly ‘valid’ call to VirtualAlloc in the way as described by Jared DeMott of Bromium, in the technical whitepaper ‘Bypassing EMET 4.1’. An Anti-Exploit tool based on stack analysis will conclude that the call to VirtualAlloc was legitimate and will not detect a ROP attack in progress at this stage.

The chain then contains the dummy gadget 6cebb68b nine times, which only performs a ‘RET’. After that, it contains two copies of another dummy gadget (6d4b6da7). However, this gadget has the nice property that it is call-preceded.

The ActionScript has placed the base address of kernel32.dll and the address of GetProcAddress into the shellcode, so that it can call this function to obtain other system functions of kernel32 without triggering anti-exploit software. One can also see that the shellcode immediately resolves the address of the function ‘SetThreadContext’. This is a very interesting function that can modify the debug registers, which can disable functions that depend on them, like Microsoft EMET’s EAF mitigation.

Anti-Exploit solutions that analyze the stack (which is under the control of the attacker) are fooled by the tricks deployed by the APT3 exploit. However the hardware-assisted Control-Flow Integrity feature of HitmanPro.Alert 3 reveals the ROP attack and is immune to the stack manipulations performed by this exploit. The following figure shows how HitmanPro.Alert 3 detects and blocks the ROP attack using Intel® hardware-assistance.

Angler Exploit Kit
The version used by the Angler exploit kit is different. Of course it uses the same vulnerability in Adobe Flash Player (CVE-2015-3113) to corrupt a vector on the heap to bypass ASLR, but it uses a different set of exploit techniques compared to the APT3 version.

The exploit deployed by the Angler exploit kit uses so-called Vtable Hijacking to start its ROP chain. A fake object with a crafted vtable is created on the heap:

This fake object contains a pointer to its vtable at offset 0, so the vtable starts at 0857c040.
And from within the Flash ActionScript a method of this fake object is called. This executes the following code:

At the time of the call, ECX contains the address of the object (0857c000) and EAX contains the start address of the vtable. The call [eax+8] is the actual call of the method in the vtable, which in this case is a call to [0857c040+8] -> 6cab4745

If we take a look at the instructions that are located at this address, we can see that these will perform a stack pivot.

But after the stack pivot, the actual ROP chain, beginning at location 0857c040, will start. The first gadget, located at 6ca9f992, will advance the stack pointer to the location behind the stack pivot gadget address.

6ca9f992 83c408 add esp,8
6ca9f995 c3 ret

This adds 8 to skip past the stack pivot gadget which means that the stack pointer now points to 0857c04c, so the next gadget that will be executed is located at 6cac4788.

6cac4788 95 xchg eax,ebp
6cac4789 c3 ret

EBP now points to a location that is on the current stack and lies before the current position in the ROP chain.
The next gadget in line starts at address 6cc334a6 which swaps the contents of EDI and EAX.

6cc334a6 97 xchg edi,eax
6cc334a7 c3 ret

Now the following gadget that will execute is the one that will make the contained shellcode executable (DEP bypass). It starts at address 6d096dd9.

This gadget, which is legitimate code located in the Flash DLL, performs a seemingly valid call to VirtualAlloc in the way as described by Jared DeMott of Bromium, in the technical whitepaper Bypassing EMET 4.1. When the allocation returns, it falls directly into the shellcode at address 0857c06c.

The shellcode is located on the heap directly after the ROP chain, starting at location 857c06c.

Summary
APT3’s attack on CVE-2015-3113 doesn’t perform a stack pivot as the gadgets are placed on the current stack. In addition, it never falls directly onto critical functions or shellcode and uses return addresses that seem legitimate to foil Anti-Exploit heuristics. By comparison, the techniques that are used in the Angler exploit kit are rather straightforward and will be detected and blocked by most (commercial) Anti-Exploit tools.

While evaluating both attacks I can’t help but think that APT3’s zero-day attack on CVE-2015-3113 is proving the same point that we tried to convey and demonstrate with our example attack on an artificial zero-day vulnerability in Firefox 29.0, for MRG Effitas’ Real World Exploit Prevention Test (March 2015). Some people said it was unfair and unrealistic that MRG Effitas included our specially crafted version in their test, but it turns out we did not have to wait long before a skilled attacker proved our point as well: with enough time, effort and money, a knowledgeable attacker can bypass Anti-Exploit solutions. But with unique features like our Hardware-assisted Control-Flow Integrity, HitmanPro.Alert raises the bar to new heights by further increasing the attacker’s costs, in effect avoiding future system compromise and reducing business disruption.

Users running HitmanPro.Alert 3 are and were already protected against both the nation-state version as well as the exploit kit version of the attack on CVE-2015-3113.

HitmanPro.Alert 3 has been very successful in stopping hundreds of attacks from these sites, blocking the exploit and preventing malware from entering the PC:

Contrary to antivirus technologies, the exploit mitigation technologies in HitmanPro.Alert require no updates, signatures or prior knowledge of exploit attacks or their payloads to defend against them. Internet users do not need to seek refuge in ad blockers, as HitmanPro.Alert allows safe use of the web without affecting the ad revenue of site owners, publishers and journalists, especially when visitor/victim machines need to (or unknowingly) run outdated or vulnerable software.

Below is an excerpt of the technical details of the blocked attacks, which shows that many of the attacks originate from Adobe Flash Player:

Mistress Eve
Our telemetry shows that this specific attack took place between 2015-06-11 17:00 (CET) and 2015-06-15 16:30 (CET). Strikingly, the domain mistresseve.com seems to play a significant role in this attack.

Zooming in on this domain, we logged the following hostnames, which is an indication that the attackers have direct access to the DNS of this domain to create additional hosts:

cannonries-anumdecimal.mistresseve.com

hesiterionswonderbloem.mistresseve.com

klonensahasrabudhe.mistresseve.com

primerolereloc.mistresseve.com

prost.mistresseve.com

pyhnen.mistresseve.com

suierveer.mistresseve.com

The hostname pyhnen.mistresseve.com is also mentioned on the Malware Traffic Analysis website, which recorded an attack (.pcap and .zip with malware provided). The attack was carried out by the Angler Exploit Kit (as also confirmed by Fox-IT) and delivered the Bedep trojan through a vulnerability in Adobe Flash Player.

Angler Exploit Kit
The Angler Exploit Kit itself abuses CVE-2013-7331, a vulnerability in Internet Explorer 6 through 11, to determine if the attack takes place inside a research environment, or in the presence of specific security software. If e.g. VMware or VirtualBox is detected, the exploit is not triggered in an attempt to stay under the radar of defenders:

An overview of the domains associated with this particular exploit kit deployment:

Bedep malware
This Bedep trojan horse is delivered in-memory. This means that it infects the computer without writing any files to the disk for most antivirus software to find, scan or block. Researcher Kafeine wrote about the file-less Bedep infection on his website Malware Don’t Need Coffee in August last year.

Also, this trojan typically pulls in additional malware to perform e.g. click fraud, hurting advertising businesses. So, advertisers are not only put in a bad light because the ad platform is abused to infect thousands of internet users, they also lose money from the fraudulent ad clicks (the advertisers unknowingly pay the attackers).

But, as pointed out by Kafeine, the Angler Exploit Kit can serve each individual victim different malware.

This post is a follow up on our previous post regarding ransomware infecting user32.dll.

A new variant of the Department of Justice (DOJ) ransomware that embeds itself inside user32.dll is spreading.

This new variant has updated its tactics to avoid detection by antivirus programs. The following section shows an analysis of this new version and indicates the changes that have been made.

Patched entrypoint
Just as the previous version, the ransomware patches the code in the entrypoint of user32.dll. But this time the malware authors tried to keep the entrypoint as original as possible. Most noticeably, they replace the original CALL with a CALL to AlignRects. See the disassembled code below:

Furthermore, the code at AlignRects is modified so that it allocates a new block of executable memory, after which it copies the encrypted payload from the resource section to this newly allocated memory. It uses the same technique as the previous version to obtain the address of NtAllocateVirtualMemory() to allocate a writeable/executable region of memory. The encrypted payload, which also contains a small piece of code to decrypt it, is copied into this memory.

Removing the ransomware from your system
Victims can use HitmanPro.Kickstart to get rid of the police themed ransomware infection (including this new variant). If HitmanPro detects the ransomware it will query our cloud service to obtain a clean system file, which will be used to replace the infected one on your system.

If for some reason the specific version of your infected user32.dll cannot be obtained from the cloud service, you can manually copy a clean version of user32.dll onto the HitmanPro.Kickstart flash drive. If the version of the infected file on your disk matches that of the clean version on the flash drive, HitmanPro will use that version to replace the infected one on your Windows installation.

You need to retrieve the encrypted user32.ini by e.g. using a Hiren’s boot CD or some other bootable medium that is able to access your Windows system disk. Once you have decrypted the file, you can simply copy it to the HitmanPro.Kickstart flash drive. Note that the file must be named user32.dll. Once the decrypted file has been placed on the flash drive, you can boot your system with the HitmanPro.Kickstart flash drive and HitmanPro will use the manually decrypted user32.dll to replace the infected one on your system.

Note: When performing this action, make a copy of the infected user32.dll. In case something goes wrong with the procedure, you can always restore the infected file so your system will at least be able to boot correctly.

Over the past months we’ve been monitoring a new variant of the Department of Justice (DOJ) ransomware.

To date there is nothing written about this new variant on the internet. This blog item aims to address this.

Analysis of this particular ransomware shows that the method to infect victims is different compared to previous ransomware samples. Instead of dropping an executable on the system it infects the Windows system DLL: user32.dll.

This file is typically located in:
C:\Windows\System32\user32.dll or
C:\Windows\SysWOW64\user32.dll

So far we’ve observed that the ransomware is only infecting the 32-bit version of user32.dll.

Static detection
Our support desk helped a victim in January 2014. Four months later, detection is still poor:

Resource section
The ransomware enlarges the resource section of user32.dll, as can be seen in the table below:

Original user32.dll                         Infected user32.dll

name     va        vsize     rawsize        name     va        vsize     rawsize
.text    0x1000    0x5f283   0x5f400        .text    0x1000    0x5f283   0x5f400
.data    0x61000   0x1180    0xc00          .data    0x61000   0x1180    0xc00
.rsrc    0x63000   0x2a088   0x2a200        .rsrc    0x63000   0x33a88   0x33c00
.reloc   0x8e000   0x2de4    0x2e00         .reloc   0x8e000   0x2de4    0x2e00

Analysis of the increased resource section in this file shows that it contains an encrypted payload with a decryptor embedded. We will show how the malware gets active once it has successfully infected the user32.dll file.
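The section-table comparison above is the kind of check that can be automated against a known-good baseline. Below is an added example in Python (not HitmanPro’s code, and not from the original post) that parses a PE section table and diffs it against a baseline; the two images it parses are header-only stubs constructed from the figures in the table above, not real copies of user32.dll. With the figures as printed, the enlarged .rsrc also runs past the start of .reloc, which the overlap check reports.

```python
import struct

COFF_HDR = struct.Struct("<2H3I2H")        # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8s6I2HI")    # IMAGE_SECTION_HEADER (40 bytes)

# Section tables as printed in the post: (name, va, vsize, rawsize).
ORIGINAL_USER32 = [
    (".text", 0x1000, 0x5F283, 0x5F400),
    (".data", 0x61000, 0x1180, 0xC00),
    (".rsrc", 0x63000, 0x2A088, 0x2A200),
    (".reloc", 0x8E000, 0x2DE4, 0x2E00),
]
INFECTED_USER32 = [
    (".text", 0x1000, 0x5F283, 0x5F400),
    (".data", 0x61000, 0x1180, 0xC00),
    (".rsrc", 0x63000, 0x33A88, 0x33C00),
    (".reloc", 0x8E000, 0x2DE4, 0x2E00),
]


def build_pe_stub(sections, opt_size=0xE0):
    """Construct a header-only PE32 image (DOS stub, PE signature, COFF header,
    zeroed optional header, section table). Constructed test input only; it
    is not a real user32.dll and carries no section data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    raw_ptr, table = 0x400, b""
    for name, va, vsize, rawsize in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va,
                                  rawsize, raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Follow e_lfanew to the PE signature, skip the COFF and optional headers
    and return {name: (va, vsize, rawsize)} from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    pos = coff_off + COFF_HDR.size + opt_size
    sections = {}
    for _ in range(nsections):
        name, vsize, va, rawsize, *_ = SECTION_HDR.unpack_from(data, pos)
        sections[name.rstrip(b"\0").decode()] = (va, vsize, rawsize)
        pos += SECTION_HDR.size
    return sections


def compare_sections(baseline, sample):
    """List (name, baseline_entry, sample_entry) for every section whose
    address or sizes differ from the known-good baseline."""
    names = sorted(set(baseline) | set(sample))
    return [(n, baseline.get(n), sample.get(n))
            for n in names if baseline.get(n) != sample.get(n)]


def overlapping_sections(sections):
    """Pairs of neighbouring sections whose virtual ranges [va, va+vsize)
    overlap; a grown section running into its successor is a strong anomaly."""
    items = sorted(sections.items(), key=lambda kv: kv[1][0])
    hits = []
    for (n1, (va1, vs1, _)), (n2, (va2, _, _)) in zip(items, items[1:]):
        if va1 + vs1 > va2:
            hits.append((n1, n2))
    return hits


def check_user32():
    """Parse both constructed images and report differences and overlaps."""
    good = parse_sections(build_pe_stub(ORIGINAL_USER32))
    bad = parse_sections(build_pe_stub(INFECTED_USER32))
    return compare_sections(good, bad), overlapping_sections(bad)


if __name__ == "__main__":
    diffs, overlaps = check_user32()
    for name, before, after in diffs:
        print(f"{name}: {before} -> {after}")
    print("overlaps:", overlaps)
```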

EntryPoint patched
The code in the entrypoint of an infected user32.dll is patched with a jump to AlignRects, as can be seen below:

The code at AlignRects is not the original, but is replaced with code that allocates a new block of executable memory. Hereafter it copies the encrypted payload from the resource section to this newly allocated memory.

As can be seen from this code an executable block of memory is allocated. In order to do that, the address of NtAllocateVirtualMemory is calculated using the address of NtQueryVirtualMemory, which was obtained from the IAT of user32.dll.

The encrypted payload is copied into the newly allocated range of memory. This encrypted payload contains a small piece of decryption code, located near the end of the encrypted payload. This decryption code is shown below:

The decryption of the payload uses an XOR based decryption scheme where the XOR value for each byte to decrypt is incremented after each operation.

Once all bytes in the allocated memory range are decrypted, the now plain code is executed. Note the first two instructions of this decryption code, where a call/pop combination is used to obtain the current address.

This makes the decryption code position independent. The only ‘fixed’ values in this code are the size of the encrypted payload and the XOR key, so automatically varying the payload and decryptor to avoid static detection can be easily accomplished.
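For analysts who extract such a payload from the resource section, here is an added Python example (not from the original post) of the incrementing-XOR scheme described above together with key recovery from a known plaintext prefix. It assumes a single-byte start key that wraps modulo 256, which the post does not state; the sample payload is constructed, not the ransomware’s.

```python
def xor_rolling(data, key):
    """XOR byte i with (key + i) & 0xFF: the XOR value starts at `key` and is
    incremented after every byte, as in the decryptor described above. The
    operation is its own inverse, so it both encrypts and decrypts."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def recover_key(payload, known_prefix):
    """Return every single-byte start key under which the payload decrypts to
    something beginning with `known_prefix` (for instance the first bytes of
    a PE header or of a code stub seen in another sample). Only 256 keys are
    possible, so exhaustive search is instant."""
    head = payload[:len(known_prefix)]
    return [k for k in range(256) if xor_rolling(head, k) == known_prefix]


def decrypt_with_known_prefix(payload, known_prefix):
    """Recover the key from the prefix and decrypt the whole payload; raises
    if the prefix is too short to pin down a single key."""
    keys = recover_key(payload, known_prefix)
    if len(keys) != 1:
        raise ValueError(f"ambiguous or no key: {keys}")
    return keys[0], xor_rolling(payload, keys[0])


# Constructed sample: a tiny PE-like blob encrypted under start key 0x5A.
# Illustrative data only, not the ransomware's payload.
SAMPLE_PLAINTEXT = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
                    + b"CONSTRUCTED")
SAMPLE_CIPHERTEXT = xor_rolling(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    key, plain = decrypt_with_known_prefix(SAMPLE_CIPHERTEXT, b"MZ\x90\x00")
    print(hex(key), plain)
```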

Once the ransomware becomes active, some typical ransomware behavior is performed:

Windows Safe Mode is disabled

Task Manager is blocked

Command Prompt is blocked

Registry Editor is blocked

… and of course the police themed picture is shown where a ransom fee is demanded in order to release the PC (see picture at the top of this article).

Victims can use the very easy-to-use HitmanPro.Kickstart to get rid of police themed ransomware infection.

Blocking CD-ROM drives
A new property of this particular ransomware is that it disables CD-ROM drives. This makes it harder to clean some systems, as is explained below.

When HitmanPro detects a system file that is infected, it searches for a white-listed variant on the computer. This is because Windows tends to keep a copy of system files in multiple locations on the hard disk.
If HitmanPro cannot find a white-listed known safe version, it prompts for the Windows installation CD/DVD media that came with the computer. This is a very useful feature of HitmanPro and it has been in HitmanPro for years to return infected system files to pristine state!

But since this new ransomware infection blocks access to the CD/DVD the user can no longer provide the Windows installation media for original files.

New Cloud Service
EDIT: HitmanPro build 219 (or newer) queries a new HitmanPro-cloud service that can provide a clean system file so that the user no longer has to provide Windows installation media.

Last Friday security researchers from Fox-IT noticed that Yahoo was inadvertently spreading malware via its advertisement services. Last Monday the Israel-based security company Light Cyber spread a much-hyped press release claiming that most of the malware was used to mine Bitcoins. I am personally a bit surprised that the BBC, The Guardian and even Interpol tweeted about it, as Light Cyber provided little to no details or evidence.

The story is not completely wrong but, when you read those articles, the perception now is that the entire attack revolved around Bitcoin mining, which is false.

We saw the Bitcoin miner too but omitted it from our initial excerpt because, according to our own telemetry, only 4% of the victims that we rescued received this malware. And contrary to popular belief, click fraud and banking malware become lucrative a lot faster than mining Bitcoins with malware, as a miner likely requires specific hardware to be effective and will not survive long on a victim’s computer. In fact, this miner is easily picked up by antivirus software. And infected users will certainly notice the stressed-out processor and/or GPU, which seriously hinders normal work or gaming.

Let me provide some usable evidence.

Citadel
We found that a Citadel trojan in this attack pulled in the Bitcoin miner about a minute after the PC got infected. Citadel is based on the Zeus banking malware, also known as Zbot. It typically creates a random folder under the %AppData% folder and has a random filename of typically 5 or 6 characters, e.g.:

C:\Users\<user>\AppData\Roaming\Iquha\ruyvy.exe

On each victim computer this malware is uniquely obfuscated to evade antivirus detection.

cgminer
The Bitcoin miner, however, is actually a wrapped version of an abused legitimate tool called cgminer, version 3.7.2 to be exact. Cgminer is a multi-threaded multi-pool FPGA and ASIC miner and relies on the OpenCL framework to perform the hashing computations for Bitcoin mining. OpenCL is mandatory for cgminer, which is by default not installed on Windows computers. This means that cgminer only works on/affects machines with the OpenCL SDK installed or with special gaming-oriented hardware, as OpenCL.dll only comes standard with certain display drivers from AMD and NVIDIA.

In this attack, the cgminer malware was installed here:

C:\JvaApp\wdsdll.exe

When the victim computer is equipped with a modern GPU, this tool can produce hash rates orders of magnitude higher than what can be achieved with just a CPU. If the computer doesn’t have a capable GPU to speed up mining it returns “clDevicesNum returned error, no GPUs usable”.

The miner uses libcurl for communication with a mining pool. Libcurl is also legitimate software.

So the attackers do not have a 2.5-million-large Bitcoin mining network (or ‘bitnet’). This ‘bitnet’ is also not as effective as some think. A single infected computer with e.g. a decent NVIDIA GTX 560 Ti display card would take a week to generate EUR €0,1430 (at about 85.1 MHash/sec). We do not have hardware specifications of any or all victim computers, so let’s assume (hypothetically) that 1/4 of these infected machines would have this special NVIDIA display card. Also assuming that the miner would not have been noticed by antivirus software or the user, this ‘bitnet’ of 25,000 computers (1/4 of 4% of 2.5 million) would have generated about 5.5 BTC, or EUR €3,575 at the current exchange rate of the virtual currency.

The created perception that Bitcoin mining was the driving force behind the Yahoo attack is just plain wrong. The attack is about the people who earned a lot by offering their malware staging area at Yahoo to a multitude of criminals. Hence the enormous variety of malware. Surely, malware designed to steal your identity or banking credentials is far more threatening than malware which only takes a toll on your computer’s speed.

We have been pretty busy with a lot of new exciting technology that we are introducing next month, so our blog did not get as much attention as it should. But yesterday, an interesting malvertising campaign on Yahoo drew my attention.

Yahoo is the #4 website in the world and with literally millions of daily visitors and users, Yahoo is a high-profile target for malvertising.

Fox-IT already wrote a great blog entry mainly about the network details of the attack. But since there is also a lot to tell about the malware I decided to spend my Sunday to do some digging in our databases and write some details about it.

Discovery
Lennart Haagsma (@lennarthaagsma) and Maarten van Dantzig (@MaartenVDantzig) from Fox-IT’s Security Operations Center were the guys that sent out the first tweet about this on January 3rd, 2014: the ads.yahoo.com host, associated with advertisements and tracking, was infecting visitors of Yahoo Mail.

Our own telemetry and research confirmed this and I immediately started to send out additional information on Twitter and share some malware details with the security community.

Below is a screenshot of Fiddler showing the recorded drive-by infection, proving that Yahoo was indeed infecting its visitors through a malicious iframe:

Sharing Information
We also shared some initial information with the Dutch National Cyber Security Center (NCSC) so they could combine it with data from Fox-IT.

The NCSC sent out a warning message to contacts at key infrastructure and important computer networks in The Netherlands, so technicians could add firewall rules to block the attack. This was necessary because the malware used in the attack was slipping past security defenses, which we can confirm thanks to our HitmanPro agents on millions of computers in the world. Our software has detected Yahoo-related malware on computers protected by up-to-date antivirus software.

HitmanPro
If you are unfamiliar with our HitmanPro software: it is a small anti-malware tool that functions as a second-opinion for your antivirus software to reveal undetected threats.

HitmanPro works on-demand and is purpose-built to be compatible with other antivirus programs. Its behavior and forensic analysis are designed to pick up threats without requiring prior knowledge of malware attacks, commonly called virus signatures.

Here is an example of how HitmanPro gives you insight into how the attack happened, even days after the incident:

About the Malware
Thanks to the telemetry coming from HitmanPro we are able to compile a list of threats that were used in the attack staged from Yahoo’s own servers.

Our systems detected the first threats associated with this malware campaign on Monday December 30th, 2013 (now 6 days ago). This means that a lot more users are infected than initially thought (4 days x 24 hours x 27,000 infections = 2.5 million infected computers).

The attackers made good use of Yahoo’s reputation and installed many different malware families, which leads us to believe there are more interested criminals involved (a so-called Pay-Per-Install operation). An excerpt with some background information:

Once executed by the exploit kit, this malware installs itself in the C:\Windows\Fonts folder. The Fonts folder is a special folder and shows only fonts in Windows Explorer. The malware executable doesn’t come up in the contents list, so the user is not able to access it manually. The publisher of the malware executable was also set to Symantec Corporation DB in an attempt to fool users who were somehow able to access it.
This malware program performs click fraud and causes high CPU usage. It runs multiple hidden web browser processes to open web pages with ads belonging to the affiliate ID of the criminal. The program is started each hour through the Windows Task Scheduler:

This malware downloads additional malware and enables backdoor access to and control of your computer. It is also capable of disabling antivirus software and injects itself into other system processes. It typically installs itself in C:\Windows\Installer\<random GUID>\

The most interesting feature of this malware, I think, is that it creates a so-called hollow process to conceal its presence. In this case it spawns and abuses a legitimate Windows Calculator process (calc.exe) and does an in-memory replacement of the original contents with the malicious code. For the operating system and the user it looks like the original calc.exe is running, while in fact the calc.exe process has been transformed into Dorkbot. This Windows Calculator process now has unusual capabilities, like HTTP and DNS interception:

This particular malware employs NTFS encryption in an attempt to stay hidden from low level virus scans. A low level scan, like HitmanPro’s Direct Disk Access method, does not use the higher level Windows APIs to scan the disk for malware, because, usually, the higher level Windows APIs are manipulated by malware to evade detection.

Exploiting Java vulnerabilities
Normally, software cannot be installed on a computer without the owner’s consent. If someone would like to silently install software on your computer they would need to find and abuse a vulnerability on your computer – remember Stuxnet, which similarly abused a software vulnerability to hit the computers of Iranian nuclear plant staff.

But practically, every computer has vulnerabilities, even yours. And for online criminals to be effective, they target multiple vulnerabilities to maximize their campaign.

The Magnitude exploit kit makes this possible; it has been a favored tool since the arrest of Paunch (the creator of the notorious Blackhole exploit kit).

Yahoo’s servers were used as staging area, redirecting visitors to an attack page with the Magnitude exploit kit. The exploit kit was configured to exploit vulnerabilities in Java Runtime to infect Yahoo’s users with malware.

Java is the #1 target since millions of computers still run outdated vulnerable versions of it, caused by the lack of a silent automatic update feature in Java. Also, many people and companies are unable to upgrade to the latest version of Java because they rely on custom software that will no longer work once Java is updated.

So these users rely on antivirus software to keep their computers safe. But since attackers tailor and continuously update their malware they effectively go undetected by many antivirus software.

We’ve seen at least these Java exploits used in the Yahoo malvertising campaign:

CNET
I saw CNET reporting that users had to click on a malicious ad to get infected, but this is not true. Below, side by side, an uninfected Yahoo advertisement and the infected one. Victims did not click on the ads to get infected, which also explains the high infection numbers from the Fox-IT research.

Scan your computer
Not every ad on the Yahoo advertisement network contained the malicious iframe, but if you have an outdated version of Java Runtime (you can check here) and you used Yahoo Mail in the last 6 days, your computer is likely infected.

In addition, we also received reports that the malware was spreading through ads in Yahoo Messenger as well. So if you used Yahoo’s services lately, it’s a good idea to scan your computer for malware.

Our HitmanPro software has already helped many Yahoo visitors in these countries: Australia, Germany, Spain, France, Greece, Hungary, Ireland, Israel, Italy, Croatia, The Netherlands, Poland, The United Kingdom and The United States. In most of those scans our HitmanPro anti-malware software also found other malware unrelated to the Yahoo incident, which means it is always a good idea to regularly perform a second opinion scan with a tool from a different security vendor.

ZeroAccess Bag of Tricks
We’ve blogged a few times before about the tricks of the ZeroAccess malware family (aka ZAccess/Sirefef/Max++). For example, in July 2011 we blogged about ZeroAccess injecting a deadly payload into antivirus products and in June 2012 we blogged about ZeroAccess hiding its malicious code in an NTFS Extended Attribute.

Reparse Point
Recently a new ZeroAccess variant is spreading which employs a new trick to disable antivirus products. Specifically, the new variant places NTFS Reparse Points on the files of an antivirus causing access to the files to be redirected.

In the following screenshots (using the tool called Junction from Mark Russinovich, Sysinternals) you can see that ZeroAccess has placed a Reparse Point (type Symbolic Link) on the files of Microsoft Security Essentials. These reparse points redirect file access to a different location, disabling Microsoft Security Essentials:

Also using the ordinary dir-command you can see that redirection to [c:\windows\system32\config] is in place:

File Permissions
In addition to setting Reparse Points, ZeroAccess also strips the permissions from the files as can be seen in the following screenshot:

To the rescue
On May 23rd we released HitmanPro build 198, which removes the reparse points from Windows Defender and Microsoft Security Essentials. The permissions on the files are also restored by HitmanPro.

Here is a video showing the redirection of the files belonging to Windows Defender and Microsoft Security Essentials:

The repair of Windows Defender and Microsoft Security Essentials by HitmanPro is free.

Download
Existing users of HitmanPro are automatically updated to the latest version, while new users can download HitmanPro from here: get.hitmanpro.com.